Make TLS connections to a remote wallet non-mandatory (#7953)

* disable-remote-signer-tls flag

* use flag in edit-config

* send requests without TLS

* change warning message

* fix account list output test

Co-authored-by: Preston Van Loon <preston@prysmaticlabs.com>
Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>

validator/accounts/accounts_list_test.go

@@ -381,6 +381,7 @@ func TestListAccounts_RemoteKeymanager(t *testing.T) {
 		publicKeys: pubKeys,
 		opts: &remote.KeymanagerOpts{
 			RemoteCertificate: &remote.CertificateConfig{
+				RequireTls:     true,
 				ClientCertPath: "/tmp/client.crt",
 				ClientKeyPath:  "/tmp/client.key",
 				CACertPath:     "/tmp/ca.crt",
@@ -407,6 +408,7 @@ func TestListAccounts_RemoteKeymanager(t *testing.T) {
 
 		Configuration options
 		Remote gRPC address: localhost:4000
+		Require TLS: true
 		Client cert path: /tmp/client.crt
 		Client key path: /tmp/client.key
 		CA cert path: /tmp/ca.crt
@@ -424,9 +426,9 @@ func TestListAccounts_RemoteKeymanager(t *testing.T) {
 	*/
 
 	// Expected output format definition
-	const prologLength = 10
+	const prologLength = 11
 	const configOffset = 4
-	const configLength = 4
+	const configLength = 5
 	const accountLength = 4
 	const nameOffset = 1
 	const keyOffset = 2

validator/accounts/cmd_wallet.go

@@ -22,6 +22,7 @@ var WalletCommands = &cli.Command{
 				flags.WalletDirFlag,
 				flags.KeymanagerKindFlag,
 				flags.GrpcRemoteAddressFlag,
+				flags.DisableRemoteSignerTlsFlag,
 				flags.RemoteSignerCertPathFlag,
 				flags.RemoteSignerKeyPathFlag,
 				flags.RemoteSignerCACertPathFlag,
@@ -53,6 +54,7 @@ var WalletCommands = &cli.Command{
 			Flags: cmd.WrapFlags([]cli.Flag{
 				flags.WalletDirFlag,
 				flags.GrpcRemoteAddressFlag,
+				flags.DisableRemoteSignerTlsFlag,
 				flags.RemoteSignerCertPathFlag,
 				flags.RemoteSignerKeyPathFlag,
 				flags.RemoteSignerCACertPathFlag,

validator/accounts/prompt/prompt.go

@@ -69,6 +69,7 @@ func InputDirectory(cliCtx *cli.Context, promptText string, flag *cli.StringFlag
 // InputRemoteKeymanagerConfig via the cli.
 func InputRemoteKeymanagerConfig(cliCtx *cli.Context) (*remote.KeymanagerOpts, error) {
 	addr := cliCtx.String(flags.GrpcRemoteAddressFlag.Name)
+	requireTls := !cliCtx.Bool(flags.DisableRemoteSignerTlsFlag.Name)
 	crt := cliCtx.String(flags.RemoteSignerCertPathFlag.Name)
 	key := cliCtx.String(flags.RemoteSignerKeyPathFlag.Name)
 	ca := cliCtx.String(flags.RemoteSignerCACertPathFlag.Name)
@@ -83,7 +84,7 @@ func InputRemoteKeymanagerConfig(cliCtx *cli.Context) (*remote.KeymanagerOpts, e
 			return nil, err
 		}
 	}
-	if crt == "" {
+	if requireTls && crt == "" {
 		crt, err = promptutil.ValidatePrompt(
 			os.Stdin,
 			"Path to TLS crt (such as /path/to/client.crt)",
@@ -92,7 +93,7 @@ func InputRemoteKeymanagerConfig(cliCtx *cli.Context) (*remote.KeymanagerOpts, e
 			return nil, err
 		}
 	}
-	if key == "" {
+	if requireTls && key == "" {
 		key, err = promptutil.ValidatePrompt(
 			os.Stdin,
 			"Path to TLS key (such as /path/to/client.key)",
@@ -101,7 +102,7 @@ func InputRemoteKeymanagerConfig(cliCtx *cli.Context) (*remote.KeymanagerOpts, e
 			return nil, err
 		}
 	}
-	if ca == "" {
+	if requireTls && ca == "" {
 		ca, err = promptutil.ValidatePrompt(
 			os.Stdin,
 			"Path to certificate authority (CA) crt (such as /path/to/ca.crt)",
@@ -110,20 +111,30 @@ func InputRemoteKeymanagerConfig(cliCtx *cli.Context) (*remote.KeymanagerOpts, e
 			return nil, err
 		}
 	}
-	crtPath, err := fileutil.ExpandPath(strings.TrimRight(crt, "\r\n"))
-	if err != nil {
-		return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+
+	crtPath, keyPath, caPath := "", "", ""
+	if crt != "" {
+		crtPath, err = fileutil.ExpandPath(strings.TrimRight(crt, "\r\n"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+		}
 	}
-	keyPath, err := fileutil.ExpandPath(strings.TrimRight(key, "\r\n"))
-	if err != nil {
-		return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+	if key != "" {
+		keyPath, err = fileutil.ExpandPath(strings.TrimRight(key, "\r\n"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+		}
 	}
-	caPath, err := fileutil.ExpandPath(strings.TrimRight(ca, "\r\n"))
-	if err != nil {
-		return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+	if ca != "" {
+		caPath, err = fileutil.ExpandPath(strings.TrimRight(ca, "\r\n"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not determine absolute path for %s", crt)
+		}
 	}
+
 	newCfg := &remote.KeymanagerOpts{
 		RemoteCertificate: &remote.CertificateConfig{
+			RequireTls:     requireTls,
 			ClientCertPath: crtPath,
 			ClientKeyPath:  keyPath,
 			CACertPath:     caPath,

validator/accounts/wallet_create_test.go

@@ -221,6 +221,7 @@ func TestCreateWallet_Remote(t *testing.T) {
 	walletDir, _, walletPasswordFile := setupWalletAndPasswordsDir(t)
 	wantCfg := &remote.KeymanagerOpts{
 		RemoteCertificate: &remote.CertificateConfig{
+			RequireTls:     true,
 			ClientCertPath: "/tmp/client.crt",
 			ClientKeyPath:  "/tmp/client.key",
 			CACertPath:     "/tmp/ca.crt",

validator/accounts/wallet_edit_test.go

@@ -30,6 +30,7 @@ func TestEditWalletConfiguration(t *testing.T) {
 
 	originalCfg := &remote.KeymanagerOpts{
 		RemoteCertificate: &remote.CertificateConfig{
+			RequireTls:     true,
 			ClientCertPath: "/tmp/a.crt",
 			ClientKeyPath:  "/tmp/b.key",
 			CACertPath:     "/tmp/c.crt",
@@ -42,6 +43,7 @@ func TestEditWalletConfiguration(t *testing.T) {
 
 	wantCfg := &remote.KeymanagerOpts{
 		RemoteCertificate: &remote.CertificateConfig{
+			RequireTls:     true,
 			ClientCertPath: "/tmp/client.crt",
 			ClientKeyPath:  "/tmp/client.key",
 			CACertPath:     "/tmp/ca.crt",